I'm researching health data security issues and came across a requirement
for "immutable" electronic audit trails.
The people who write these standards can't be serious, can they? There is
no such thing as immutable electronic data. Are they really dumb enough to
assume that the data is "immutable" if you only provide read-only access to
it through your software, or set the read-only bit on the files?
The only relevant electronic "solution" I've seen for this appears to be
some sort of "lockbox" software that can be applied to a folder. It
operates like a safe with a time-lock. You could, I suppose, periodically
copy audit data to that folder where it can't be modified or deleted,
allegedly by anyone including the person who set the time, until the time
expires. So what happens if you reset the system clock?
Seriously... has anyone dealt with this requirement? What is actually
necessary to comply with it?
Thanks.
Ken Dibble
www.stic-cil.org
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the
author, and do not constitute legal or medical advice. This statement is added
to the messages for those lawyers who are too stupid to see the obvious.
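Added worked example (not part of Ken's post or the ProFox list): what "immutable" usually comes down to in practice is tamper-evident, not untouchable. The sketch below keeps an append-only log in which every entry's HMAC covers its sequence number, the previous entry's HMAC and the event (timestamp included), and then shows which kinds of tampering the chain alone catches and which need a "head" value (length plus last HMAC) recorded somewhere outside the box being audited. The events, the key and the in-memory anchor are all constructed for the demo; in a real deployment the key lives on the log server rather than in the application, and the anchor goes to a printer, a WORM volume, a separate host or a notary, since a chain can be rewritten end to end by anyone who holds the key.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # link value carried by the first entry

# Constructed sample events; any resemblance to real records is accidental.
SAMPLE_EVENTS = [
    {"ts": "2009-05-01T10:00:00Z", "user": "clerk1", "action": "view",   "record": 1042},
    {"ts": "2009-05-01T10:02:13Z", "user": "clerk1", "action": "update", "record": 1042},
    {"ts": "2009-05-01T10:05:40Z", "user": "admin",  "action": "export", "record": 77},
    {"ts": "2009-05-01T10:09:02Z", "user": "clerk2", "action": "view",   "record": 77},
]


def _canonical(obj):
    # Stable byte encoding so the same event always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key, seq, prev, event):
    return hmac.new(key, _canonical({"seq": seq, "prev": prev, "event": event}),
                    hashlib.sha256).hexdigest()


def append(chain, event, key):
    """Append an entry whose MAC covers its sequence number, the previous
    entry's MAC and the event itself (so the recorded timestamp is bound too)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "prev": prev, "event": event,
                  "hash": _mac(key, seq, prev, event)})
    return chain[-1]["hash"]


def verify(chain, key, anchor=None):
    """Return (ok, reason). `anchor` is (length, head_hash) recorded outside
    the audited system; without it only in-place edits are detectable."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, f"link broken at entry {i}"
        if not hmac.compare_digest(_mac(key, i, prev, entry["event"]), entry["hash"]):
            return False, f"entry {i} modified"
        prev = entry["hash"]
    if anchor is not None:
        if len(chain) != anchor[0]:
            return False, "length differs from anchor"
        if prev != anchor[1]:
            return False, "head differs from anchor"
    return True, "ok"


def demo():
    key = b"constructed-demo-key"  # assumption: held by the log server, not the app
    chain = []
    for ev in SAMPLE_EVENTS:
        append(chain, ev, key)
    anchor = (len(chain), chain[-1]["hash"])  # the value you would publish off-box

    out = {"intact": verify(chain, key, anchor)}

    # 1. In-place edit by someone without the key: that entry's MAC no longer matches.
    edited = json.loads(json.dumps(chain))
    edited[1]["event"]["action"] = "view"
    out["edited"] = verify(edited, key, anchor)

    # 2. Drop the last entry: the chain is still self-consistent; only the anchor notices.
    truncated = chain[:-1]
    out["truncated_unanchored"] = verify(truncated, key)
    out["truncated"] = verify(truncated, key, anchor)

    # 3. Insider holding the key rewrites entry 1 and re-MACs everything after it:
    #    again self-consistent, and again only the anchored head gives it away.
    rewritten = []
    for i, ev in enumerate(SAMPLE_EVENTS):
        ev = dict(ev)
        if i == 1:
            ev["action"] = "view"
        append(rewritten, ev, key)
    out["rewritten_unanchored"] = verify(rewritten, key)
    out["rewritten"] = verify(rewritten, key, anchor)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

Two things worth noting against the time-lock idea in the post: resetting the system clock after the fact changes nothing here, because each entry's timestamp is inside the MACed record and ordering comes from the sequence number rather than the clock; and the read-only bit plays no part at all, since the design assumes the file can be rewritten and only promises that a verifier holding the key and the off-box anchor will notice.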